Detecting Lateral Movement Attacks through SMB using BRO

(1)

Faculty of Electrical Engineering,

Mathematics & Computer Science

Detecting Lateral Movement Attacks

through SMB using BRO

Ikram Ullah

Master Thesis

November 2016

University Supervisors: dr. Andreas Peter Riccardo Bortolameotti Company Supervisor: Alex Van t Veer (Fox-IT)

(2)

Preface

This thesis is submitted for the degree of Master of Computer Science at the University of Twente and Technical University of Berlin. The research work was conducted under supervision of Dr. An-dreas Peter, Riccardo Bortolameotti in the Department of Electrical Engineering Mathematics and Computer Science University of Twente and Alex Van T Veer from FOX-IT Delft between March 2016 and November 2016.

(3)

Acknowledgements

First of all I would like to thank my supervisors Dr. Andreas Peter, Riccardo Bortolameotti and Alex Van T Veer.

I acknowledge Dr. Andreas Peter’s incredible guidance both in academic and administrative proce-dures.

Riccardo Bortolameotti has always endowed me incredible suggestions and support. He was always there when I needed his supervision. His guidance helped me throughout the research work and writing of thesis. I could not have imagined having a better supervisor and mentor for my thesis.

I am grateful to Alex Van T Veer for his support in evaluating my research work and adept feedbacks throughout the research work.

My sincere thanks also goes to manager of MSS deparment at FOX-IT, Christian Prickaerts, for of-fering me the thesis and internship opportunities in his department and guiding me working on this exciting topic.

Last but not the least, I would like to thank my friends and family for their encouragements and motivation.

(4)

Abstract

The purpose of this study is to develop an anomaly based intrusion detection technique to detect lateral movement attack and exerting it in BRO network analyser which is an open source network security platform. Lateral movement attack is one of the phase of Advance Persistent Threat attack during which the attacker progressively move from one system to another in the network, exploit credentials to perform pass the hash attack, escalate privileges, and finally reaching his final tar-gets which are critical systems where key data and assets resides. Lateral movement attack are performed using legitimate computer features and tools. The usage of legitimate features makes it hard to detect it. Although there are many methods of performing lateral movement attack, we have evaluated our detection mechanism against three of the most common lateral movement methods: PSEXEC Windows Management Instrumentation and Pass the hash. One of the consequences of a successful lateral movement attack can be the unauthorized access to personal and financial in-formation of a corporate or organization. This study is an initial attempt to detect lateral movement attack performed through Server Message Block protocol using BRO network analyser. Our pro-posed detection model is a multi-variant approach as it monitors and detects five different types of user behavioural anomalies in the network. Thus making it harder for any sophisticated lateral move-ment attack to be perform successfully. We model user behavioural anomalies through a supervised machine learning algorithm. The evaluation results demonstrate that this is a promising model to distinguish legitimate users from an intruder. Our detection model can be easily deployed in any environment and is inexpensive.

(5)

Introduction

Advance persistent threat (APT) is a set of stealthy and relentless hacking processes, in which a group of highly skilled cybercriminal gains unauthorised access to a targeted network, steals sen-sitive information and remains undetected while having permanent access to the network. The aim of APT is not to cause damage to the network but to have constant access to the sensitive data. Unlike traditional threats, APTs are fully-customized sophisticated attack against a specific target, planned and designed to thoroughly bypass the security measures of the target. APTs are initiated with stealing legit credentials, phishing, and execution of malware on the victim machine. For vic-tims of APT the implications are huge which includes lost of private data, trade secrets, government secrets, diminished value to brand and reputation, lost of revenue, and cost of technical support. In the recent years large number of corporates became victims of APT resulted in significant losses, including Sony pictures [84], Target [85] and JPMorgan chase [86]. There are six stages of an APT attack: intelligence gathering, point of entry, control command and communication, lateral movement, sensitive data discovery, and exfiltration of sensitive data.

Lateral movement which is also known as east-west movement is a later stage of an APT attack in which the attacker tries to establish and maintain access to the compromised network and increases his footprints by compromising other computers, servers and infrastructure components. During the lateral movement of the APT attack, the attacker wanders further in the inner network to seek more hosts, servers, services and data. The impact of APT attack increases as the attack proceeds to the lateral movement phase because at this stage the attacker remain undetected, gains more access privileges while continuously further exploiting the network. Once the attacker exploits one machine in the network, he can use different techniques and tools to remain persistent in the network and move laterally to further compromise the network. The attacker avoids detections by using legiti-mate administrative tools. For incident and response team (or system administrator) detecting lateral

(8)

2 CHAPTER1. INTRODUCTION

movement attack at the early stages is very important before the whole network is compromised and the attacker successfully removes the traces. In 2014 1,000 retail businesses were hit by remote attacks[18]. Ultimately, most retail attacks started with stolen credentials, which enabled attackers to move laterally, harvesting credentials along the way until they reached their final destination. Single factor authentication (username and password) makes attacker job easy because once he steals the administrator’s username and password then he uses legitimate tools: PSEXEC[99], WMI[101] and techniques (Pass the Hash) to remotely access the system and install persistent backdoors. With valid administrator credentials the attacker uses dumping tools: PROCDUMP[16] to dump the usernames and hashes and access other machines on the network. The majority of system ad-ministrators implement Credentials reuse. Credential reuse means using the same username and password for multiple accounts or machines. Credential reuse makes the system administrators job easier but with credential reuse the system administrators are not only expediting his own adminis-trative tasks but also making attacker task easier. So, for the attacker to compromise one machine means compromise almost the whole network especially in an environment with all the machines having same local system administrator account. Detecting lateral spread is very difficult because the attacker subterfuge and behaves as authorised users. Below are listed the methods used by attackers to move laterally in the network:

(a) Credential Harvesting. The term credential harvesting is also called account harvesting which refers to the attacking technique or activities of grabbing legitimate user ID and passwords to gain access to target systems for illegal or malicious purposes[115]. In large environments attacker wants to compromise all the hosts in the network, to do so he needs to steal the credentials of all the hosts in the network. The attacker can steal or exploit credentials (passwords, hashes) using social engineering techniques, use defaults credentials, perform phishing attack or dumping Local Security Authority Subsystem Service of the victim machine as described in Section 4.0.3. Hashes are used to perform pass the hash attack which is also described in Section 4.0.3.

(b) PersistencyPersistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access[116]. For the attacker it is important to gain persistent access to the network. Persistency techniques are: installing backdoor, creating new accounts in case credentials are changed, and changes the network configuration to keep his existence hidden.

(9)

1.1. OVERVIEW OF EXISTING SOLUTIONS 3

firewall installed, and other network information. This knowledge is important because it helps the attacker to avoid detection. Attacker can use Netstat[117] tool for internal reconnaissance.

(d) Escalate privileges.Most of the time the attacker motive is to go much deeper into the network by escalating privileges based on the knowledge the attacker acquired during reconnaissance. Tools like PSEXEC[99], and WMI [101], allows the attacker to access, scheduling tasks and exe-cute malicious code on other machines on the network using the knowledge and credentials he obtained in the previous three steps (Credential harvesting, remain persistence, internal recon-naissance).

1.1 Overview of existing solutions

The number and complexity of cyber-attacks are ceaselessly increasing while the existing security measures is far lagging behind in detecting sophisticated attacks such as lateral movement. Jasek et al.[93] proposed honeypots to detect lateral movement which is unnecessarily expensive. Honeypots are expensive to maintain because if virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive[118]. Example: Honeynet. Balduzzi et al.[91] suggests the identification of lateral movement attack by detecting malicious URLs that spreads malware and backdoors. The attacker can bypass this approach by changing URL to spread malware. Bencsth et al.[92] proposed detection approach that detect one specific malware that is frequently used in APT attack including lateral movement, however, having a detection mech-anism so tailored for a specific malware it makes the entire detection unable to detect new malware that behave differently. Bass[96] detection approach implements different types of anomaly sensors which include sensors to monitor user activities, sensors to monitor host activities, and sensors to monitors application activities. These sensors are trained for a subsequent amount of time. Any new activity in the network is considered anomalous. The shortcoming of this approach includes com-plexity, costly, and host behaviour swiftly changes.

(10)

4 CHAPTER1. INTRODUCTION

lateral movement cannot effectively detect a general scenario of lateral movement without relevant changes to the underlying infrastructure.

1.2 Research Question

Although there are many methods through which attacker can perform lateral movement, the problem being addressed in this study is attacker performing lateral movement attack through Server Message Block protocol. Server Message Block (SMB) protocol is installed in all Windows Operating Systems. SMB protocol is used to share files and printers on a network. Numerous vulnerabilities exist in SMB protocol. The attacker can exploit these vulnerabilities and perform lateral movement attack against the windows machines and compromise the whole network. Exploitations of SMB vulnerabilities have immense impact because of its high percentage usage in critical infrastructure such as banking and finance, electricity grids, law enforcement agencies, aviation and medical centres. Also in the real world most of the communication protocols are interlinked. Vulnerability in one protocol can lead to exploitation of other protocols or machines. For example vulnerability in authentication protocols (like NLTM, Kerberos) can lead to exploitation of SMB protocol[119]. New Vulnerabilities are emerging everyday, it is hard and expansive to patch all the vulnerabilities. In some cases vulnerabilities are exposed when it has already made considerable amount of damages. Being vigilant with proper detection technology can limit the adverse impact of these attacks. In this work we want to develop a real-time monitoring approach for the detection of lateral movement attack. The intrusion detection approach we are investigating is anomaly based. Anomaly based intrusion detection systems are a better alternative for signature-based intrusion detection systems, which detects both known and unknown attacks. The main challenge in developing anomaly based intrusion detection system is to correctly differentiate between anomalous traffic and normal traffic, because if normal activities are flagged as intrusion it can generate false alarms which can undermine the network performance and also an additional unnecessary work for the technical team. Considering teh lack of comprehensive lateral movement detection techniques, with this work we want to answer the following main research question: How can we detect lateral movement attacks over SMB using anomaly based approach?

1.3 Our proposed approach

We propose a novel framework that combines different techniques based on data analytics. Our pro-posed model analyses multiple vectors of anomalies. While analysing malicious lateral movement

(11)

1.3. OUR PROPOSED APPROACH 5

traffic, we find out five crucial anomalies related to lateral movement attack and write five policies to detect these anomalies. A brief description of each anomaly is discussed below:

(1) Instead of following standard NTLM authentication procedure which requires correct password as a mean of authentication, the attacker bypass the normal authentication procedure by providing hashes, which generates empty session key. Such contravention of authentication procedure can be detected via empty session key. A policy is written that detects empty session key.

(2) The attacker might try to connect to multiple hosts at the same time. Such an aggressive mali-cious behaviour is detected by most of the commercial Intrusion detection systems and firewalls which includes policies that controls the number of connections or session initiated from a spe-cific host. Attacker invades firewall and IDS, by generating random hostname for each connec-tion. These random hostnames have much high randomness entropy. A policy is written that calculates the randomness entropy of each hostname, and checks if its above a certain scale.

(3) To escalate the privileges the attacker might perform brute force attack by trying many passwords hoping to eventually guess the passwords correctly. K-nearest neighbour algorithm is trained with the number of failed login attempts during the normal network behaviour and malicious network behaviour. Based on the training, the machine learning algorithm provides a threshold that can be considered malicious. The threshold is used in policy that monitors failed login attempts over a specified time interval.

(4) Our models monitors the flow of data along IPC$ share. K-nearest neighbour machine learning algorithm is trained with the flow of data towards IPC$ in normal network behaviour and malicious network behaviour. Based on the training, the machine learning algorithm provides a threshold that can be considered malicious. The threshold is used in policy that monitors access to IPC$ over a specified time interval.

(5) Thereupon the upload of malicious executables to IPC$, the attacker install these executables as services. K-nearest neighbour machine learning algorithm is trained with number of services created or started in normal network behaviour and malicious network behaviour. Based on the training, the machine learning algorithm provides a threshold that can be considered malicious. The threshold is used in policy that monitors start and creation of services over a specified time interval.

(12)

network administrator an early glimpse of intrusion before it gets successful and persistent. The characteristics that makes our approach superior are easy to develop and deploy, inexpensive with better detection capabilities, and very limited human interaction needed. Moreover this model is equally advantageous for small and large network environments. The limitation of our approach is that some features requires a large datasets in order to be precise. This is because they are based on the K-nearest neighbour algorithm. However, in a company setting this is not a big problem, because this large dataset can be captured in one or few days. It is worth to mention that our approach works also with limited datasets, although it may raise a higher number of false positives and false negatives.

1.4 Report organization

The remainder of this report is organized as follows. Chapter 2, describes related work. Chapter 3 provides the reader with background knowledge about Server Message block protocol, BRO net-work analyser and K-nearest neighbour algorithm. Chapter 4 lateral movement attack techniques, which tools can be used to perform lateral movement attack and how these attacks are performed. Chapter 5 discusses our detection model and the evaluation of our model. Finally, in Chapter 6, conclusions and recommendations are given.

Chapter 2

Anomaly based Intrusion Detection

Techniques

An attempt to compromise the security of a host or a network is called an intrusion. An intrusion can be disrupting the system or service performance, illegally accessing sensitive information, system modification by installing persistent backdoors, lateral movement etc. The objective of intrusion de-tection system is to detect intrusions that exploit the Confidentiality, Integrity and Availability of a host or network. Large resources are concentrated on the development of intrusion detection systems

(13)

2.1. HOST BASED INTRUSION DETECTION SYSTEMS 7

to detect any internal or external intrusion. Considering the continuous expansion of Internet and the continuous spurt of new attacks, it is getting harder and harder to provide adequate detection mechanism against the vast number of networks based attacks. Many techniques have been sug-gested to detect the large number of attacks. There are many challenges in developing a full-fledged anomaly based intrusion detection system because the network traffic is so dynamic and complex that it is hard to differentiate between normal and abnormal traffic. Also there are risks of false in-trusion alarms. Understanding and predicting all the abnormal traffic patterns remain a long time challenge. Accuracy is the essential requirement of an intrusion-detection system, its extensibility and adaptability are also critical in todays network computing environment [50]. Intrusion detection system monitors host or network traffic for malicious activities or policy violations.

2.1 Host based intrusion detection systems

Intrusion detection system installed in the host is known as Host based intrusion detection system (HIDS). HIDS are among the first intrusion detection systems built [58]. Simple statistical methods can be used to model normal user or program behavior. Deviation from the normal behavior is flagged as anomaly. Examples of detecting anomalies at host level are, detecting anomalous program behavior [44] and detecting intrusions using system calls [45].

2.2 Network based intrusion detection systems

Intrusion detection system installed for the security of network is known as network based intrusion detection system (NIDS). In case of NIDS, depending on the type of information thats is used for performing the detection; one can distinguish between traffic and application models [58]. NIDS that use traffic models monitors inbound and outbound traffic to all devices in the network. While the application models use application specific knowledge. Application models are used to detect attacks against specific applications or services.

2.3 Intrusion detection types

2.3.1 Anomaly based intrusion detection system

(14)

8 CHAPTER2. ANOMALY BASEDINTRUSIONDETECTIONTECHNIQUES

Semi-supervised anomaly detection methods are trained with normal traffic datasets. Unsupervised anomaly detection do not requires any training. An anomaly detection approach usually consists of two phases: a training phase and a testing phase. During the training phase, the normal traffic profile is defined; while in the testing phase, the learned profile is applied to new data [31].

Anomaly-based NIDS can be classified according to:

(i) The underlying algorithm used.

(ii) Whether to analyze the features of each packet singularly; Packet oriented or of the whole connection; Connection oriented.

(iii) Type of data analyzed. In particular, whether to focus on the packet header or on the payload [59].

(a) Packet oriented NIDS

In packet oriented NIDS each packet is analyzed and anomalous attacks are detected by inspect-ing packet payload, packet header or the combination of both. Header information is mainly useful to recognize attacks aiming at vulnerabilities of the network stack implementation or probing the operating system to identify active network services. On the other hand, payload information is mostly useful to identify attacks against vulnerable applications [42].

(b) Connection oriented NIDS

Connection oriented NIDS considers features of the whole communication before establishing whether it is anomalous or not. Theoretically, a connection-oriented system could use as in-put the content (payload) of a whole communication (allowing at least in principle a more pre-cise analysis), but this would require a long computational time, which would seriously limit the throughput of the system. In practice, connection- oriented systems typically take into account the number of sent/received bytes, the duration of the connection and layer 4 protocol used [59].

2.3.2 Signature based intrusion detection system

(15)

2.3. INTRUSION DETECTION TYPES 9

particular name of the virus and to detect DOS attack, signature is written that detects the number of times a command is issued. Also signatures can be written to detect keywords in the traffic. Below are two examples of signature based intrusion detection system [60][61].

if (traffic contains x90+de[^_\r _\n]30) then attack detected

Snort implements Signature based intrusion detection. Below is an example of Snort signature

alert tcp any any > any _\ (flow: establish, to server; _\ content: foo; msg: detected foo;)

2.3.3 Rule based intrusion detection system

In rule based intrusion detection system, rules are formed from normal traffic patterns or rules can also be formed to represent malicious behavior. These rules are saved in the database. During the detection phases these rules are applied to the network traffic to identify if the traffic is normal or malicious. For instance rules can be, remote users can login with username and password not with username and hashes or no user is allowed to remotely install applications in other users computers.

2.3.4 Advantages and Disadvantages of Anomaly and Signature based IDS

(16)

increasing, largely new attacks are conducted, so in such circumstances signature based IDS is not an appropriate approach to detect the large number of new attacks, in contrast anomaly based IDS can cope well with the emerging new attacks.

2.3.5 Anomaly based intrusion detection techniques

Anomaly based intrusion detection comprise of three techniques Data mining anomaly detection, machine learning anomaly detection and statistical anomaly detection [31].

(a) Data mining and machine learning technique

Data mining anomaly detection generally refers to the process of extracting useful rules from large stores of data. The recent rapid development in data mining contributes to developing wide variety of algorithms suitable for network intrusion detection problems. In Data mining based anomaly detection technique, the audit data is classified as normal or anomalous based on set of rules and patterns, or associating events together. The advantage of this technique is that it is simple to define rules but the disadvantage is that it is hard to represent different types of information. Machine Learning is an artificial intelligence technique that stores the user-input stream of commands in a vectorial form and is used as a reference of normal user behavior profile. These profiles are then grouped in a library of user commands having certain common characteristics [55]. In Machine learning based anomaly detection technique, the system learns the normal behavior of a program, improves its execution strategy by acquiring new informa-tion about the program, thus when the program deviates from the normal behavior, the system triggers an alarm.Although there are large number of challenges linked with machine learning algorithms, they do perform very well in most networks and the advantages of machine learning based anomaly detection are that it can avoid manual configuration and customization for differ-ent industrial control system networks.

(17)

machine (SVM), Bayes net, decision tree (J48), and boosted J48 are applied. The implemen-tation of DExtor in large networks is unrealistic because it is efficient only for 42KB/sec network traffic.

Harinee et al. [50] proposed intrusion detection system implements fuzzy class association rule mining method that is based on Genetic Network Programming (GNP). Association-rule mining is used to discover association rules among different attributes in network traffic dataset. The proposed technique can be applied to Network related databases that contains network architec-ture attributes. Fuzzy rules can be defined based on the type of service or user normal activities. The limitation of this work is that it is designed for small ad hoc networks and its capability is not shown statistically like which attacks were detected with this technique and what is its efficiency for large networks.

Zhang et al. [54] implemented data mining algorithm called Random forests algorithm to achieve unsupervised network based anomalies detection. A random forests algorithm build patterns of network services (i.e. http, ftp, telnet) from the traffic data. Any traffic that is not consistent with the normal traffic patterns is considered as anomalous. The limitation of this approach is that processing is done offline using Wireshark so such a system is not applicable for real time anomalies detection.

Gu et al. [30] develop network anomaly detection technique thats based on maximum entropy and relative entropy techniques. The normal traffic packets are divided into two dimensional packet classes according to packets protocol information and destination port numbers with total of 2348 packet classes. This approach comprises two phases. In phase one Maximum entropy baseline distribution of the packet classes in the training data is calculated through maximum en-tropy estimation. The training data is labelled and packets labelled as anomalous are removed. In the second phase the observed network traffic trace is given as input and relative entropy is used to compare the empirical distribution of observed packet classes to baseline distribution. Variation in the two distributions determines that the packet classes are different from the training dataset and indicates an anomaly. The limitation of this approach is that the labelling of normal traffic is done offline and manually, so for large networks and datasets this technique is time con-suming and error prone.

(18)

anomaly detection to detect IP traffic anomalies in specific Industrial Control System (ICS) Net-work. Their technique is based on forming separate models for different functional level such as device levels, cell levels, and the plant levels. The network features that are considered for anomaly detection are;

(i) Throughput

(ii) Any large variation in the throughput of ICS network can be considered as anomaly

(iii) IP address-Port Pairs, new IP-Port pairs is clear indication of new (malicious) service

(iv) Average packet size, average packet size can be an identification of normal traffic

(v) Timing; packet timing and interval between packets from a network node can be used to identify the traffic type,

(vi) Flow Direction and duration; variations in ICS traffic direction or duration can be an identifi-cation of anomaly e Payload data, payload data can be used to detect malicious actions

(vii) Network Protocol, to static networks sign of new protocol or changes in protocol settings is identification of anomaly

(viii) Connectivity number; in ICS networks the number of connections for each system is static.

Tools like Wireshark[106], BRO[109] are used to extract these features from the traffic. The lim-itation of this approach is that it is literally designed for ICS network. The ICS network traffic is quite uniform and predictable compare to general ICT network traffic, which are unpredictable. Also this approach is based on usage of combination of many tools and suits offline analysis not real time.

Fiore et al. [49] network anomalies detection approach is based on machine learning using Restricted Boltzmann machine (RBM). RBM is an artificial neural network that can learn prob-ability distribution from its input. Such model is first trained on normal traffic dataset and then used to classify previously unseen or suspicious events. The tool used in this model is called Dis-criminative Restrictive Boltzmann. The performance of this approach is not impressive because it suffers from many classifications errors because of the vague notion of normal traffic.

(19)

uses non-stationary model so if an event last occurred t seconds ago, then the probability it oc-curs in the next one second is approximated by 1/t. In PHAD each packet header field containing an unusual and unexpected anomalous value is assigned a score inversely proportional to the probability

Scoref ield=tn/r

To score the packet, as the fields of the packet are not independent because the fields occur sequentially, for k consecutive anomalies the packet score is

Scorepacket=Ptini/ri

Where i₂anomalous fields, the fields not found in the testing or training data.

PHAD detected attacks (i.e. DOS, SMTP buffer overflow, R2L, DNS buffer overflow, SYN flood, ping of death, backdoor install, NT bug exploit, UTR, probe) via anomalies like, weird TTL field value, bad TCP checksum, fragmented IP, FIN without ACK, IP source address, outgoing packet size. Many of the attacks like ffbconfig, httptunnel, ntfsdos, sqlattack, sshtrojan, tcpreset were not detect mostly because in these attacks vulnerabilities at the application layer are exploited which is not monitor by PHAD.

Ye et al. [51] presents an anomaly detection system that is based on Chi-square statistic. In this method profile of normal behavior of traffic in a network is formed and the deviation from the normal behavior is considered as anomaly. This approach uses modified version of Hotelling T2 statistics; which is a multivariate statistics that can anticipate multiple subjects, multiple actions and multiple behaviors to compare the patterns of normal and anomalous traffic. This approach establishes a normal behavior profile thats compared with the observed behaviour. Modified version of Hotelling T2 statistics

X2=

n

X

i=1

(Xi Ei)2/Ei

Where Xi denotes the observed value of the ith variable, n is the size of data sample, Ei is the expected value of the ith variable and n is the number of variables. To estimate the expectation

¯

X1,X¯2, ....X¯nwhere is sample mean vector of expected value. The previous equation becomes

X2=

n

X

i=1

(20)

X2is the sum of squared differences between the observed and expected values of the variable.

If the value ofX2 _{is small it means the observed traffic is similar to the expected traffic. The}

anomaly detection rate of this approach is tested on a small dataset. For large set of dataset this technique lacks performance and scalability because of the fact that its is hard to fully define normal traffic for a better estimation.

Bolzoni et al. [52] presents POSEIDON anomaly-based network intrusion detection system. It is a combination of two different techniques, Self-Organization Map (SOM) and modified PAYL [42]. SOM has the capability of high quality classification of payload data so it is used to form profiles, while n-gram algorithm used in PAYL has the knack of better detection of anomaly with respect to the normal behaviour. In this approach packets are classified in an unsupervised manner using neural networks (SOM). As POSEIDON is packet oriented so during the training phase for given dataset, a set of Models Mnjk are computed for each packet where j is the destination address, k is destination port and n is the classification derived from the neural network which is computed during SOM phase. Model Mnjk stores the average byte frequency and the standard deviation of each byte frequency. During the detection phase the value of each incoming packet is compared to the model value. Large deviation from the norm value causes an alarm. Compare to PAYL [42] and PHAD; POSEIDON has higher detection rate and lower number of false positives. Thus if an attacker insert extra bytes in the payload, which results in different classification and an alarm is flagged. But in this approach the implementation of SOM is not optimal because if the attacker inserts small malicious payload that has the same byte frequency distribution as of normal traffic and the attack cant be detected. The real challenge in detecting attacks is when the traffic doesnt look significantly malicious which is the case in application layer attacks. 75% of the successful attacks happened on application layer and 80% of enterprises become victim of application layer attacks [57].

(21)

(b) Statistical anomaly detection technique

The goal of statistical Anomaly detection is to identify some traffic parameters, which can be used to describe the network traffic and that vary significantly from the normal behaviour to the anomalous. For example packet length, inter-arrival time, flow size and the number of packets per flow [29]. In statistical anomaly detection method, a profile of the user is formed on the ba-sis of his behaviour (audit logs, incoming traffic etc.) and this profile is stored. Anomalies are flagged when the user current behaviour varies from the stored profile. The advantage of this technique is that it is a good indicator of detecting malicious activities. An obvious disadvantage is that an attacker can deceive the detection system to consider malicious traffic as normal traffic.

Abouzakhar et al. [53] developed statistical detection model, which uses Chi-Square statistics to detect Network based intrusions. This approach comprise of three steps; First step is Net-work traffic categorizer & data pre-processing in which the TCP flags are extracted of each input packet, frequency distribution is generated, split into four categories as number of RST, SYN, ACK, ICMP packets per second and average number of packets per second is calculated for each category. Secondly, Chi-square Goodness-of-fit test is used to detect anomaly by compar-ing the Chi-squared values of the expected (normal) traffic and the observed traffic.

X2=

k

X

i=0

(Oi Ei)2/Ei

WhereOi is the observed frequency for a category,Eiis the expected frequency for a category

and k is the number of observations in the sample. Thirdly, decision phase an alarm is raised if the Chi-square value of the observed traffic is higher than the Chi-Square value of the normal traffic. Such an approach works efficiently for small and static network in which the number of protocols used are known and fixed. For large and dynamic networks with varying number and types of protocols this approach lacks efficiency and performance.

(22)

or model. In this phase two distributions are compared. Simplified Mahalanobis Distance is used to compare the two statistical distributions, the model and the received payload. So any payload that is found to be too distant from the normal expected payload is considered as anomalous and alert is generated. While within each port the length of the payload differs for example TCP packet length ranges from 0 to 1460; so different length of payloads have different type of pay-load. Thus in PAYL they compute a payload model for each different length range for each port and service and for each direction (inbound, outbound) of payload flow. To compute this payload model they used N-GRAM analysis and in particular byte value distribution (n=1). In a payload, N-GRAM is a sequence of adjacent bytes. A Model Mij ( i is the payload length for a port j) stores the average byte frequency and the standard deviation of each bytes frequency. So a payload is characterized by combination of means and variance of each bytes frequency. For example if there are 10 ports and each ports payload has 10 different lengths then there can be 100 models. During the detection, each incoming payloads byte value distribution is computed and then com-pared with if the distribution is different the detector flags the packet as anomalous and generates an alarm. The distance between the byte distribution of the received payload and the profile from the model computed for the corresponding length range is measured. If the distance is higher it is likely that the payload is anomalous. The simplified Mahalanobis distance is given below

d(x,¯y) =Pn_i₌₀1(_|xi-y¯i|/(¯i+ ))

Where¯is the standard deviation, is the smoothing factor which represents the statistical con-fidence of the sampled training data, n is 256 possible byte values, x is the new feature value andy¯is the average feature value computed from the training data. Although with PAYL attacks using TCP can be detected, while attacks that use UDP, ICMP and ARP cannot be detected. Also attacks that doesnt include payload cannot be detected so remote code execution attacks cannot be detected with this technique.

Krugel et al. [58] approach is based on utilizing the application level knowledge to protect the net-work services from intrusion. Such an application level model allows the detection of malicious contents hidden in single network packets. The idea behind service specific anomaly detection is to include application payload information along with packet header information. So network traffic is partitioned and independently analyzes packets sent by different applications. Concen-trating on one type of service traffic allows the collection of statistical data with less variance and thus allowing precisely establishing notion of normal traffic for each service. This approach is trained for a specific training period during which it reads packets from the network, this data is split into service specific traffic and normal profile of each service is formed. During the detection, observed traffic is compared with normal profiles.

(23)

17

Chapter 3

Preliminary Knowledge

3.1 Server Message Block Protocol

Server Message Block protocol (SMB) is a client-server and request-response protocol in a computer network. SMB protocol can be used on the top of protocols like TCP/IP, IPX/SPX or other network protocols. It is installed in almost all Microsoft Windows machines. Through SMB protocol clients can access files that are present on the server. Based on the file access control, the client can create, read and update the files on the server. Including file system support, SMB protocol also specializes in Inter process communication (IPC). IPC share is useful because it facilitates data exchange be-tween computers over SMB protocol. SMB protocol is evolving and continuously updating protocol. It evolved from CIFS to SMBv1 to SMBv2 to SMBv3. SMB protocol is remote sharing/file protocol for accessing files and printers across the LAN and WAN. Many Operating systems vendors like Apple, EMC, Microsoft, and Linux have implemented SMB protocol. With the passage of time Windows has made enormous improvements to the protocols such as adding Kerberos authentication, Signing using HMAC MD5 and many other improvements. SMBv2 is the first upgraded version of SMB. Com-pare to SMB, SMBv2 has increased file-sharing scalability, security, number of round trips of request is reduced, asynchronous operations, and the larger reads and writes (more data in each packet). Security related improvements are the signing uses HMAC SHA-256, and also the size of command set is reduced from 75 to 19 [2]. In older versions of Windows (e.g 95,98, ME & NT), SMB shares ran on NETBIOS over TCP/IP (NBT) on ports 137/tcp and UDP, 138/UDP, and 139/tcp. However, in later version of Windows (e.g 2000 and XP), it is possible to run SMB directly over TCP/IP on port 445/tcp [87]. For further information see [4].

(24)

[image:24.595.144.427.84.225.2]

pass-18 CHAPTER3. PRELIMINARYKNOWLEDGE

Figure 3.1.1:Microsoft SMB Protocol Packet Exchange Scenario

word to access a share. In share level authentication each share is protected individually. So the client has to provide password for each share. The password is encrypted in both the cases. Some of SMB supported authentication protocols are WindowsNT Challenge/Response NTLM, NTLMv2, KERBEROS, W2K and NT Domain Authentication. NTLMv2 authentication is based on challenge response, which contains nonce from a client and nonce from server.

(25)

[image:25.595.168.458.87.200.2]

3.1. SERVERMESSAGEBLOCKPROTOCOL 19

Figure 3.1.1.1: Phishing style attack abusing SMBs automatic authentication

This research work is specifically about three major attacks through SMB that are running a process remotely using PsExec[99], running a service through Windows management instrumentation and Pass the hash. How this goal can be achieved is discussed in the later section of this paper. SMB protocol is an attractive protocol for attackers because of the reasons describe below:

(a) SMB is installed in all Windows Operating Systems and it is a trusted file sharing protocol.

(b) Attackers can exploit SMB vulnerabilities with legitimate tools, which helps attacker to avoid de-tection. Tools like PsExec[99], and WMI[101].

(c) Attacker can exploit SMB vulnerabilities to perform lateral movement attack.

3.1.1 SMB protocol Vulnerabilities

Below are described some of the well-known SMB protocol vulnerabilities that can be exploited by an attacker to perform lateral movement attack:

(i) SMB-RELAY, which is a specific type of man in the middle attack perform to steals users SMB credentials.

(ii) Phishing style attack abusing SMB protocol automatic authentication as shown in Figure 3.1.1.1, is another way for the attacker to get SMB protocol credentials of a victim is to trick a victim to click on a link, which causes the browser to authenticate with a remote SMB server but the at-tacker controls this server. The link might look like192.168.1.1_\Y ourf ile.pdf. While 192.168.1.1

can be the IP address of the untrusted SMB server controlled by the attacker.

(26)

20 CHAPTER3. PRELIMINARYKNOWLEDGE

(iii) The vulnerability is an index error in the SMB2 protocol implementation in srv2.sys, which al-lows remote attackers to either cause a denial of service attack or execute remote code on a vulnerable system through an ampersand (&) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet. This triggers an attempted dereference of an out-of-bounds memory location [19].

(iv) CVE-2009-2532: Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC do not properly process the command value in an SMB Multi-Protocol Negotiate Request packet, which allows remote attackers to execute arbitrary code via a crafted SMBv2 packet to the Server service, aka ”SMBv2 Command Value Vulnerability” [20].

(v) Microsoft Windows is prone to a remote code-execution vulnerability that affects RPC (Remote Procedure Call) handling in the Server service. An attacker could exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploitations result in the complete compromise of vulnerable computers. This issue may be prone to widespread automated ex-ploits. Attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue [21].

(vi) CVE-2012-4774: Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allow remote attackers to execute arbitrary code via a crafted (1) file name or (2) subfolder name that triggers use of unallocated memory as the destination of a copy operation, aka ”Windows Filename Parsing Vulnerability ”[22].

(vii) In situations where the Windows shares are not properly configured, these poorly configured shares can be exposed to the rest of the internet. Attackers can exploit abominably protected shares by exploiting week or null passwords and thus gain access to the administrative shares.

3.2 BRO Network Analyser

(27)

[image:27.595.156.471.84.339.2]

3.2. BRO NETWORKANALYSER 21

Figure 3.2.1:BRO Architecture

network traffic patterns and usage [5]. BRO supports both signature-based and anomaly-based detection. In this work we research a solution for lateral movement that can be used by BRO. An advantage of anomaly based intrusion detection system is to detect new attacks. We have chosen BRO because it is well-known open-source tool, that is widely used by the entire security community. Bro architecture as shown in Figure 3.2.1 comprises of: the libpcap libraries, an event engine and a policy script interpreter. Below is the brief description of BRO architecture.

3.2.1 LIBPCAP:

Libpcap is a portable packet-capturing library. It extracts packets from the network packet stream. The packets can be FTP, Telnet, Rlogin, IP fragments, SMB and TCP packets (SYN, FIN, RST). Libpcap helps in reducing the load because with libpcap packet of specific protocol can be extracted. Libpcap adds significant advantages to BRO; it isolates BRO from details of the network link tech-nology (Ethernet, FDDI) [27]. And if the host operating system provides a sufficiently powerful kernel packet filter, such as BPF, then libpcap downloads the filter used to reduce the traffic into Kernel. In BRO it is easy to specify which packet to capture by specifying the bits of the TCP header for example

tcp[13]&7! = 0

# where 13 is static offset in TCP header, it points to 13th octet which contains TCP flags.

(28)

[image:28.595.129.440.85.343.2]

Figure 3.2.2.1: TCP events

set. Although in packet filters through Snapshot length it is possible to specify the size of a packet to be captured while in the BRO the size of Snapshot length is full packet.

3.2.2 Event Engine

(29)

[image:29.595.157.470.87.226.2]

3.3. K-NEAREST NEIGHBOUR ALGORITHM 23

Figure 3.2.2.2:UDP events

In case of UDP processing, the events are shown in Figure 3.2.2.2

3.2.3 Policy Script Interpreter

Once Event Engine generates the events, policy script interpreter process the events and forms real time notifications, recording data, or changing the internal state. The policy script interpreter executes scripts written in Bro language. These scripts specify event handlers. Adding new functionality to Bro generally consists of adding a new protocol analyzer to the event engine and then writing new event handlers for the events generated by the analyzer [27].

3.2.4 BRO platform

Paxson et al. [27] describes how BRO network security monitor is built. In this paper they presented an overview of BRO design, BRO language, application specific processing and future possible im-provements. Application specific processing includes FTP , Finger, Portmapper, and Telnet. This paper also describes possible attacks against Bro and their mitigations, attacks such as Overloads attacks, crash attacks, and Subterfuge attacks. During the initial development phase there was no support for SMB, so in this paper it is not mentioned Bro supporting SMB protocol. Remote ex-ploitation is an appealing technique for attackers to take control of vulnerable machines, protocols and perform lateral movement. According to the best of our knowledge so far there is no standard evaluation technique or model to implement BRO to detect lateral movement attack through SMB.

3.3 K-nearest neighbour algorithm

(30)

the stored data and the new instance is calculated by means of a similarity measure. This similarity measure is typically calculated by a distance measure such as Euclidean distance, Minkowski dis-tance, or Mahalanobis distance. In other words, the similarity to the data that is already stored in the system is calculated for any new instance that is input into the system[89]. One of the most popular choices to measure this distance is known as Euclidian distance [97]. It is the easiest distance calcu-lation method. It calculates the approximate distances between various points on the input vectors, and then assigns the unlabelled point to the class of its K-nearest neighbours. In our case we have used Euclidian distance. Then, this similarity value is used to perform predictive modelling. Predic-tive modelling is either classification, assigning a label or a class to the new instance, or regression, assigning a value to the new instance. For our model we have performed classification. In k-NN classification, the output is a class membership [90]. An object is classified by a majority vote of its neighbours, with the object being assigned to the class most common among its k nearest neigh-bours (k is a positive integer, typically small) [90]. In the process of creating k-NN classifier, (k) is an important parameter and various (k) values can cause various performances. If k is very huge, the neighbors, which used for prediction, will consume large classification time and affect the prediction accuracy. If k = 1, then the object is simply assigned to the class of that single nearest neighbour. In our case we have selected k=3. After the distance of the new point to all stored data points has been calculated, the distance values are sorted and the k-nearest neighbours are determined. The labels of these neighbours are gathered and a majority vote or weighted vote is used for classification. In other words, the higher the score for a certain data point that was already stored, the more likely that the new instance will receive the same classification as that of the neighbour [89].

3.3.1 Model Validation

Model validation is motivated by two fundamental problems[112]: model selection and performance estimation. Model selection means what is the optimal model for a given classification problem and performance estimation means how to estimate the performance of the selected model. There are different techniques to validate the classifier (model)

(1) Cross validation method

(31)

Cross validation includes[113]:

• Splitting the original dataset into k equal parts (folds)

• Takes out one fold aside and performs training over the rest k-1 folds and measures the performance

• Repeat s the process k times by taking different fold each time

(2) Holdout Method

The dataset is split into two equal sets: training set and test set. Training set is used to train the classifier while the test set is used to validate the classifier by estimating the error rate of the trained classifier. This method has two drawbacks: it can not be used in problems where we have a sparse dataset we may not be able to afford the luxury of setting aside a portion of the dataset for testing and since it is a single train-and-test experiment, the holdout estimate of error rate can be misleading [112]. This drawback can be avoided with cross validation method.

(3) Percentage Split

In this method the dataset is randomly split into two set: a certain percentage of the dataset used to train and the rest used for testing. For example 80% of the dataset is used for training the classifier and 20% of the dataset is used to validate the classifier [114].

Chapter 4

Lateral Movement Attack techniques

As we discussed in the previous chapter that SMB protocol is vulnerable to large number of exploits. Once these SMB vulnerabilities are exploited, below are the tools and methods that attacker can use to perform lateral movement attack. In this project we are discussing three main methods and tools, PsExec[99], WMI[101] and Pass the hash.

(32)

26 CHAPTER4. LATERALMOVEMENTATTACK TECHNIQUES

4.0.1 PsExec

PsExec[99] is part of PsTools suite owned by Microsoft. PsExec is a lightweight telnet-replacement that lets you execute processes on other systems, without having to manually install client software. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems [1]. Most of the network administration tools are developed to provide flexibil-ity in managing interconnected devices, and services. As long as these tools are used by legitimate people and for legitimate purposes so the purpose of these tools is achieved. But if misused for malicious activities it can be destructive. It is the same case with PsExec. PsExec can be used for malicious activities. For the PsExec to work, two requirements must be fulfilled, first requirement is both local and remote computers must enable file and print sharing and second requirement is remote computer must have defined Admin$ share. PsExec command given below can be used to execute malicious code on remote machine.

Psexec.exe _\\IP address of remote machine u username p password maclicious.exe

When PsExec is executed it defaults to the%SY ST EM%directory on the remote system so there is no need to specify a full path.

How the attack works

PsExec[99] is not only valuable for administrator but for the attacker as well. As long as the attacker has the credentials of the victim machine, using PsExec[99] the attacker can upload malicious code on the victim machine. Let us suppose a scenario as shown in Figure 4.0.1.1, in which the attacker has a malicious file (.exe), which the attacker wants to execute on a victim machine. Using the victim credentials the attacker authenticates to the victim machine and try to gain access to the Admin$ share (C:\Windows). Access to Admin$ share is important specially when deploying software (in our case malicious code) to the victim machine. Credentials supplied to PsExec[99] have the permission to access Admin$ share. Once the attacker get access to the Admin$, he can push the executable (.exe) malicious code into the Admin$, IPC$ shares. Now the attacker makes a separate call to the Remote Procedure Call (RPC) on the victim machine, which is running over the SMB protocol. Through RPC the attacker can talk with the Service Control Manager (SCM). SCM is maintaining and managing all the services running in the background. SCM loads the executable (.exe) and treat it as a service. Once the SCM puts the malicious .exe file in the memory the service shutdowns.

(33)

[image:33.595.169.456.84.193.2] [image:33.595.171.456.248.383.2]

27

Figure 4.0.1.1: PsExec Attack scenario

Figure 4.0.1.2: Local Authentication Token

Thus leading to lateral movement attack. There are many ways to perform lateral movement after the initial compromise. Below are the two methods that are briefly explained.

(1) Local Authentication Tokens: Session abuse

(34)

[image:34.595.127.436.89.165.2]

Figure 4.0.2.1: WMI client and server. Server in the Figure is a remote computer for which the attacker has the credentials and wants to know the operating system or hardware configurations and wants to start a service or process on it using DCOM or WinRM.

(2) Credential Reuse

In large environments the usage of same credential for many accounts and machines is very common. Credential reuse might make the System Admin task easier to remember only one password for many machines, but it is problematic as well because if the attacker got access to one password he can access all the machines. Credential reuse exploitation happens when many machines are having same password or hashes. For example if the attacker obtains the NTLM hashes of one SMB target, he can reuse the same hashes against other SMB targets in the network. The attacker can use METASPLOIT tool Credential Domino Meta Module for credential reuse. It provides an automated credential reuse. If the attacker comprises one machine in the network, the tool does the rest. With the compromised one machine and the tool in place, for the attacker it is very easy to do lateral movement across the network. Credential reuse is mostly used against the services like SMB, SNMP, SSH, TELNET, MSSQL, and MySQL. Credential reuse is serious issue because if a system thats vulnerable to credential reuse exploitation allow the attacker to bypass all the security controls and patches. Tool like Credential Domino can be used to abuse credential reuse. It shows machines that are accessible from each other using credential reuse.

4.0.2 Windows Management Instrumentation

Windows management instrumentation (WMI)[101] is a tool that is implemented as service to locally and remotely manages data, operations and configuring settings on windows operating systems.

(35)

29

locally and remotely. The reason WMI is so powerful remotely is the fact that, there are many WMI events, which allow administrator and attacker to install backdoor, code execution as well as do lateral movement. There are two protocols (DCOM and WinRM) that give the system administrator the ability of remote object queries, event registration, WMI class execution and call creation. For more in- depth information about WMI see[13].

WMI Eventing

WMI can generate customized events that can be triggered when a process is created or a specific event happens. This is very useful for administrator because he can configure WMI to trigger an event when a process is created or an event happens. On the other hand, attackers can also leverage this WMI feature and use it for malicious purposes. For example he can install a persistent backdoor (run the malicious code) every time the system restarts. Figure 4.0.2.2 shows the simplified overview of WMI. In order to trigger off an event there are three requirements

(i) Event Filter

Through Event Filter the admin or attacker can specify the events of their interest. Event like systems restarts, user logoff, new process is created.

(ii) Event Consumer

If the event that is specified in Event Filter triggers, in Event Consumer the Admin or attacker specify action of their interest to happen. The action can be i.e. run the executable script.

(iii) Binding Filter and consumer

Once the Event Filter and Event Consumer are created, in Binding Filter and Consumer an association is created between Event Filter and Event Consumer.

Based on the above three specifications, a WMI event triggers.

How the attack works

Below are two methods which shows how WMI is used in lateral movement attack.

(1) Creating Malicious Event

(36)

[image:36.595.131.438.86.253.2]

Figure 4.0.2.2: simplified High overview of WMI. Simplified and redesigned inspired from [13]

As the attacker has the valid credentials (password or hashes) he can specify malicious events to happen for example every time the victim restarts the computer run the executable that is present in the specified directory. In the example below, the attacker defines the WMI Eventing require-ments as; Event filter as System restart, Event Consumer as run the executable with SYSTEM privileges that has been dropped before and Binding (FilterToConsumerBinding) binds the filter and consumer. This attack is a persistent attack; every time the system restarts the malicious code gets executed on the victim machine. Event Consumers like ActiveScriptEventConsumer and CommandLineEventConsumer allows attacker to execute any payload against the victim machine.

(2) Win32 Process Create Method

In this attack, the attacker is using WMI Win32 Process class as a mean of attack. The top-level of the WMI structure is the namespaces. Namespaces are referred to different components of the computer like (DNS, Windows, SQL). Classes are inside the namespace i.e. class for battery. These classes also have methods. There are methods to see the management information, methods to spawn a process remotely or locally and to change the configuration of the local or remote machine. CREATE method is what attracts attacker attention. With this method the attacker can start a local or remote process against the target and allow the attacker to run malicious executable against the tar-get system. CREATE method is a better alternative of PsExec[99]. Below is an example of executing process on remote machine using CREATE method [13]

(37)

31

4.0.3 Pass the Hashes

This is a type of attack in which the attacker steals victim hashes. Without even cracking the hashes, the attacker uses the hashes to impersonate the victim and login into the victim account or system. This attack be carried out against any machine but it is more famous against Windows machines. Attackers are interested in hashes because many machines can be accessed with the same hash, remote machines accept hashes so the attacker does not need to bother about cracking it, and Win-dows does not support salting so the hashes remain the same as long as the password is changed. The lack of a salted NTLM hashed password value ultimately means you do not need to crack a password in Windows, all you need to do is simply dump the hashes from memory and pass that to access a remote system. Detecting pass the hash attack will limit the impact and help in detecting lateral movement. Any system using LM or NTLM authentication in combination with any commu-nication protocol (SMB, FTP, RPC, HTTP etc.) is at risk from pass the hash attack. The exploit is very difficult to defend against, because there are countless exploits in Windows and applications running on Windows that can be used by an attacker to elevate their privileges and then carry out the hash harvesting that facilitates the attack. Also there are many techniques that allows attacker to steal the hashes; using administrator privileges he dumps the hashes from Local Security Authority Subsystem (LSASS) this is the place where hashes are saved, this type of attack is called file-based attack or the attacker injects malicious code into LSASS process and dumps the hashes this type of attack is called process-based attack.

(1) Dumping hashes from Local Security Authority Subsystem Service of the user machine (File based attack)

(38)

then he can use PRODUMP tool to dump the memory of Isass.exe process, which contains the users credentials. So now the attacker has to search this memory and find the username and hashes. Command to dump lsass.exe process.

C:\Prodump> prodump.exe ma -accepteula lsass.exe thedump.dmp

Once the Isass.exe process is dumped, the attacker downloads thedump.dmp file to his machine from the victim machine. The attacker then uses Mimikatz tool to extract the usernames and plain passwords from the thedump.dmp file. Mimikatz commands [16]

Mimikatz #sekurlsa::minidump lsass.dmp Switich to Minidump

Mimikatz # sekurlsa::logonPasswords full

As the plaintext passwords are extracted, the attack would become pass-the-password instead of pass-the-hash.

(2) Process-based attack

LSASS constantly communicates with a database file on the file system called NTDS.dit. This is the database that the Active Directory syncs it information to, about every five minutes usually. Which means that all the usernames and password hashes are stored in NTDS.dit. Only LSASS process can access this database and is locked for user or attacker. What the attacker does is, to utilize Volume Shadow Copy Service (VSS). VSS is windows based backup service. The attacker asks VSS to backup the C volume, assuming that the NTDS.dit is in C volume. Thus once the attacker got the backup of the C volume, he search into there for the NTDS.dit and pulls it out. Using tools like NTDS Extract; the attacker can find the username and hashes [17]. VSS is by default OFF in Windows server 2012. The attacker can ON it. But normally this raises red flag. Figure 4.0.3.1 shows the process based attack.

(39)

[image:39.595.156.469.88.262.2]

33

Figure 4.0.3.1:Pass-the-Hash (Process based attack)

Chapter 5

Our Model

This chapter discusses the complete description of our lateral movement detection approach, along with the description of datasets we used for the analysis and testing and finally the statistical evalua-tions of the approach.

5.1 Description of Datasets

The datasets that are analysed and tested in our analysis and evaluations are from multiple sources:

5.1.1 A Home lab setup

(40)

34 CHAPTER5. OURMODEL

behaviour is simulated, while malicious datasets contain attacker behaviour. Tools like PsExec[99], PsExec.PY[100], Windows management instrumentations[101], Metasploit[102], Windows Manage-ment InstruManage-mentation Command-line[103], and Veil-Evasion[104] are used to generate normal and malicious datasets. The total size of the datasets generated at Home lab is 459Mb. The total time duration of these datasets is approximately 13 hours.

5.1.2 An advanced forensics challenge [98]

On 23rd August 2014 Machnetico company discovered strange traffic on their network for two days. The forensics challenge is, being an incident response specialist to investigate the breach on Mach-netico network. Advance forensics challenge datasets duration is two days containing both normal network traffic and one malicious lateral movement attack traffic. The total size of advanced forensics challenge datasets is 17.7Gb.

5.1.3 Datasets from a real corporate network

Real corporate network datasets are from medium sized corporate network containing both normal and malicious datasets. The malicious datasets contain one attack (lateral movement) where first one user account is compromised by guessing weak passwords. After getting hold of the compromised credentials, the attacker started using Meterpreter[105] malware and finally the attacker gained con-trol over the whole windows domain and finally all workstations and servers were compromised. The total time duration of datasets from real corporate network is approximately 9 hours.

We divided the datasets discussed in Section 5.1.1, 5.1.2 and 5.1.3 into smaller datasets. Each smaller dataset is of time duration T=10 minutes. We divide it in smaller datasets because that is how our detection mechanism works. Approximately 150 small normal and malicious datasets are used for analysis and testing purposes. All the datasets contain both SMB1 and SMB2 traffic from Windows 7 and Windows 8 operating systems and Windows Servers.

5.2 Research Strategy

(41)

[image:41.595.155.463.83.267.2]

5.3. INITIAL DETECTION TECHNIQUES 35

Figure 5.1.3.1: Architecture of the home-lab

Security Support Provider (NTLMSSP), Remote Procedure Call (RPC) are exploited to generate ma-licious datasets and these protocols are used normally to generate normal datasets. Tools like WIRE-SHARK[106], Network miner[107], Scapy library[108] and BRO-network analyser [109] are used to analyse the traffic. During our analysis we analysed the behaviour of these protocols in normal traf-fic datasets and as well as malicious traftraf-fic. By looking at the traftraf-fic, we considered nine possible features we thought could help us detecting lateral movement, which are described in Section 5.3. After this initial brainstorming phase, we have deeply investigate those features and removed some of them from our list, because we believed were not effective enough in detecting lateral movement. In the next Section we motivate our reasons for exclusion of those features. However, we did not scientifically proved that they are effective for the detection. So finally we decided on five detection techniques, which we have implemented and evaluated to detect anomalous behaviour. The results of the evaluation, discussed in Section5.6, tell us that these features can precisely identify possible lateral movement attacks.

5.3 Initial detection techniques

As mentioned earlier, initially we researched nine techniques to detect lateral movement which are described below

(1) Known IP pairing

Detecting Lateral Movement Attacks through SMB using BRO

Faculty of Electrical Engineering,

Mathematics & Computer Science